OAV Request For Comment OAV-RFC 0-001

OAV Request For Comment OAV-RFC 0-001
by Howard Fuhs
Version 1.01
Initiated: 29.05.2002
Last changed: 06.06.2002

OAV-ICVAT changed into OAV-VAT
New rule #8 adedd
Some minor sentences deleted

Document maintainer: Howard Fuhs
Send all suggested changes for OAV-RFC 0-001 to:  
hfuhs at openantivirus dot org


OAV Virus Analysis Team (OAV-VAT)

As it is the task of the Open Anti Virus Project to provide solutions 
against computer viruses and malware to the computer users the 
foundation members of the OAV project are facing the ethical and 
practical problem of how to handle samples of viruses and malware 
within their project.

To comply with their tasks it is neccessary to distribute virus and 
malware samples within the OAV project to different 
developers/persons. On the other hand everything possible must be 
done by the OAV members to prevent that some might come to the 
conclusion that OAV is just another public virus exchange board open 
to everyone who wants malware.

Regarding the given facts and the problems which arise from them it is 
inevitable to limit the access to the OAV Malware Sample Base (OAV-
MSB) to the absolute neccessary amount of people on the need to 
know/have basis.

As it is in most situations of life, granting access to the OAV Malware 
Sample Base (OAV-MSB) is a matter of personal trust between the 
active members of the OAV Virus Analysis Team (OAV-VAT) and the 
person who is applying for access to the OAV Malware Sample Base 
(OAV-MSB) and therfore automatically applying for OAV Virus Analysis 
Team (OAV-VAT) membership.

Moreover it is neccessary to set up certain rules under which access to 
the OAV Malware Sample Base (OAV-MSB) is granted.

1. Every person is entitled to apply for OAV Virus Analysis Team (OAV-
VAT) membership.

2. As the membership to the OAV Virus Analysis Team (OAV-VAT) is a 
personal membership no company can apply for membership.

3. The candidate has to apply with a CV (curriculum vitae), a 
description of his doings and professional backgrounds regarding data 
security and give good reasons why OAV should grant access to the 
OAV Malware Sample Base (OAV-MSB).

4. The candidate has to meet at least 50% of the OAV Virus Analysis 
Team (OAV-VAT) personally for discussions about his background and 
his reasons to join the OAV Virus Analysis Team (OAV-VAT). During 
the personal meeting the candidate has to provide a valid and signed 
PGP-Key to the members of the OAV Virus Analysis Team (OAV-VAT). 
PGP keys sent by e-mail will not be accepted.

5. It is the obligation of every candidate to build up professional and 
responsible relationships through cooperation with OAV Virus Analysis 
Team (OAV-VAT) to proof his trustworthyness. Trust will not 
automatically be given - trust must be earned.

6. The members of the OAV Virus Analysis Team (OAV-VAT) will have 
a vote on whether to accept the candidate or not.

7. The candidate will only be accepted if ALL members of the OAV 
Virus Analysis Team (OAV-VAT) give a positive vote. If one member 
does not accept the candidate, the candidate is rejected.

8. An accepted candidate will have six month of probation. During that 
time the new member can request specific viruses but will not have 
access to the whole OAV Malware Sample Base (OAV-MSB).

9. The rejected candidate will have the opportunity to reapply for 
membership after one year. In the mean time it is the obligation of the 
future candidate to act according paragraph 5.

It is the obligation of every OAV Virus Analysis Team (OAV-VAT) 
member to handle any malware samples responsible and secure. It is 
not allowed to OAV Virus Analysis Team (OAV-VAT) members to share 
malware samples outside of the OAV Virus Analysis Team.